Indonesia’s DP Bill Lacks a DPA, Despite GDPR Similarities

Indonesia’s draft Law on the Protection of Personal Data was submitted by the President to the House of Representatives in January 2020. Although the responsible Minister stated that he expected the Bill would be the first legislation to be enacted in 2020, Indonesian experts soon expect delays as a result of the COVID-19 pandemic, and so it has eventuated, with parliamentary consideration continuing a year later. This article analyses the Bill in the context of other Asian data privacy laws and the EU’s General Data Protection Regulation (GDPR). The most striking aspect of the Bill is that it fails to include what is generally considered to be the essential element of a data privacy law: a separate, specialised (and usually independent) data protection authority (DPA). Instead, all enforcement powers are in the hands of the Minister of Communication and Information. There have been quite a few earlier versions of a data privacy Bill drafted by the Indonesian government, but all have involved a specialised DPA. In a recent version, the Public Information Commission was going to act as the DPA, a combination of data privacy responsibilities with Freedom of Information/Right to Information (FOI/RTI) responsibilities. Otherwise, there are many aspects of the Bill with similarities to the GDPR. Its obligations apply comprehensively, to individuals, corporations, public agencies and other institutions, and it has extra-territorial scope. Processing of personal data may only occur if it has a legitimate basis. Indonesia has adopted the term ‘personal data owner’, and gives such ‘owners’ eight types of rights with GDPR influences. Seventeen GDPR-influenced types of obligations apply to data controllers. The Bill allows exports of personal data from Indonesia in four situations, one of which involves a ‘white list’ of countries with a level of data protection to or higher than Indonesia’s law. The Bill makes a wide range of enforcement measures possible, including administrative fines and compensation, but the are all largely at the discretion of actions by the Minister, with the risk that inadequate enforcement will mean that the Bill will be ignored by both data controllers and data owners. The article concludes that Indonesia is trading influence for irrelevance, by abandoning the inclusion of a separate DPA. It could have had one of the strongest and most influential laws in Asia, but the absence of a data protection authority will mean that it does not.